Setting Anonymous access to view reports in Tivoli Common Reporting 2.x Dan Krissell
[email protected] September 7, 2012
Contents 1.
Overview ........................................................................................................................................... 2
2.
Prerequisite ....................................................................................................................................... 2
3.
Define what authority anonymous users have ................................................................................. 2
4.
Turn on anonymous access ............................................................................................................... 3
5.
Require TIP Console users to authenticate with reporting............................................................... 4
6.
Restart TCR........................................................................................................................................ 4
7.
Explicitly deny access on the public folder for Anonymous.............................................................. 4
8.
Result ................................................................................................................................................ 5
9.
Alternative: Allow anonymous users to execute reports ................................................................. 5
1
1. Overview The objective is for users coming in through the TIP portlet to authenticate and gain proper access. For example administrator, author, consumer, etc. However we'd like to be able to give users direct report URL's to view reports without having the user prompted for a password. To achieve this, we'll configure TCR to allow anonymous users to view saved reports only, and not allow functions beyond this. Alternatively, you could perform similar steps and allow anonymous users to also run reports. Or even a combination where some reports they can run, and others they cannot.
2. Prerequisite Familiarize yourself with the security in TCR: https://www.ibm.com/developerworks/mydeveloperworks/files/form/anonymous/api/library/9641dcf4 -c5b8-413c-8ae8-9c461dd84a09/document/44868866-14fb-44e4-a68ce4be59348b53/media/Security%20Permissions%20in%20TCR%202.x.pdf
Follow instructions in the Cognos documentation for editing the out of the box Cognos roles. Remove 'Everyone' from ALL predefined roles, and add the appropriate users and groups to each of the roles. For example, 'readers' can view existing reports, 'consumers' can view reports and run reports, etc.: http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/topic/com.ibm.swg.im.cognos.ug_cra.8.4.1.doc /ug_cra_i_SpecifySecuritySettingsAfterInstallation.html%23SpecifySecuritySettingsAfterInstallation
3. Define what authority anonymous users have This step will depend on what amount of access you want anonymous users to have. In our example, anonymous users can only view saved reports. They cannot run reports, delete objects, etc. For this, add 'Everyone' as a member of the Cognos 'Reader' role. 2
a. b. c. d. e. f.
In the TCR web UI, under the 'launch' pulldown, select 'Administration'. Click the 'Security' tab. Click 'Users, Group, and Roles'. Click 'Cognos' Set the properties for the 'Reader' role. Under the 'Members', add 'Everyone.
4. Turn on anonymous access In Cognos Configuration, turn on anonymous access:
Note: To start Cognos Configuration: On Windows, it's located in the start menu On other platforms tipv2Components/TCRComponent/cognos/bin/tcr_cogconfig.sh (replace bin with bin64 for 64 bit TCR images)
3
5. Require TIP Console users to authenticate with reporting Edit TCRComponent/lib/configuration/urlconfiguration.properties There will be a line: urlprovider.servletMapping=/servlet/component Append this: ?&h_CAM_action=logonAs The final line should read: urlprovider.servletMapping=/servlet/component?&h_CAM_action=logonAs
6. Restart TCR
7. Explicitly deny access on the public folder for Anonymous By default, permissions are inherited from the parent folder, the Public folder being the main parent. Set the Public folder to deny execute, write, and set policy: a. Edit the properties of the public folder:
b. Click the 'Permissions' tab. c. Click the 'Add' link. d. Add 'Anonymous'. Note: Anonymous will not show in the list unless you enable the checkbox to show users.
e. Deny permissions to write, execute, and set policy for Anonymous:
4
8. Result Now when you come in through TCR's TIP console, the user will be authenticated, the reporting view will recognize the user. If you instead come in via a direct URL into TCR's Cognos, you will anonymous and can view saved reports with no password prompt.
Note: The gateway URL in Cognos Configuration controls the base URL for report links generated by TCR. Be sure to use /tarf/servlet/dispatch as the URI for anonymous users not to be prompted for a password.
Note: The TCR installed "Common Reporting" is owned by Anonymous. Update the properties of the package to change the owner.
9. Alternative: Allow anonymous users to execute reports If anonymous users should also have authority to excecute reports, continue with the instructions below.
a. In step 3 above, add 'Everyone' to the 'Consumer' Cognos role. 5
b. In step 7 above, for Anonymous users, grant the permission for execute (this will remove the deny for execute):
c. Grant capability to use 'HTMLItem' layout element i. ii. iii. iv. v. vi. vii. viii.
In the TCR web UI, under the 'launch' pulldown, select 'Administration'. Click the 'Security' tab. Click 'Capabilities'. Click on the 'Actions' button on the Report Studio and click on 'Set properties' . Add the 'Consumer' role to have at least traverse permission on Report Studio. Click OK. Drill down a level on the Report Studio capability. Add the 'Consumer' role to have execute and traverse permission to the HtmlItems in the Report function.
6
